This summer saw the release of the Cisco 2014 Midyear Security Report, the latest examination of “weak links” in organizations – such as outdated software, bad code, and user errors – that could pose serious security threats.

The Report indicated an unusual increase in the amount of malware within vertical markets, malicious botnets, and standard “Man-in-the-Browser” attacks (in which traffic is redirected to websites that host malware). All of these leave organizations vulnerable to exploits through DNS queries, exploit kits, malvertising, ransomware and other methods.

Most interesting, though, is the report’s insistence that organizations are spending too much time focusing on high-profile vulnerabilities, rather than on high-impact, common and stealthy threats. While there’s no doubt that boldface vulnerabilities, such as the recent Heartbleed threat, need to be addressed, it’s a mistake to think that attackers have abandoned weaknesses found in low-profile legacy applications and infrastructure.

What the Report underlines to me is that the security landscape continues to be vast and constantly evolving. It’s imperative that organizations be aware of every potential threat, whether large or small. This Report, along with others released in the market, is a means for organizations to educate themselves so they are better prepared.

It’s not uncommon for me to run into people during business trips who ask about the validity of such reports. “Are they really useful? Or are they just a marketing tool?”

On the surface it does appear that many security reports tell the same story: there are a lot of threats out there and you need to be prepared. But there are two key things to remember.

First, companies like Cisco have a unique perspective on the industry and the resources to carry out vital examination. The research conducted is in-depth, with deep data and metrics that give a detailed analysis of the situation, not a cursory glance. And of course, we do more than simply tell you about security threats; we also provide potential solutions, something that would not be possible if we didn’t have a clear understanding of the situation.

Second, in my experience, there are still a large number of organizations that don’t understand how to approach the many threats that exist. Organizations have to stop thinking like consumers when it comes to security threats. A person at home whose computer has been compromised by a virus, for example, has more control over the situation and is usually able to solve the problem quickly and easily with a number of available tools – many of which are free.

Organizations, however, have to deal with more complex challenges and need to assume that they will, inevitably, be compromised. This means they need to go beyond mere prevention and understand what their critical data is and have the proper detection tools – and people – in place.

That’s why at Cisco, we tell our customers they need to be ready across the attack continuum – before, during and after an attack. Investing a balanced amount of time and effort across these phases results in a business that can limit the attack surface (before), identify an attack when it happens (during) and be ready to react and restore normal operations when an attack is successful (after).

I think that resources such as the Cisco Midyear and Annual Security Reports help organizations make the decisions necessary in order to remain protected and prepared across the attack continuum. Do you agree? Leave a comment below, and download the Midyear Security Report on our website.
